npm-trusted-publishing

Name: npm-trusted-publishing
Rating: 8.4 (6 reviews)
Author: pr-pm

by pr-pm1010GitHub

Provides step-by-step guidance for setting up npm package publishing using GitHub Actions OIDC authentication instead of long-lived tokens. Includes workflow examples, common troubleshooting, and monorepo configuration details.

Unlock Deep Analysis

Use AI to visualize the workflow and generate a realistic output preview for this skill.

Target Audience

JavaScript/TypeScript developers who publish npm packages via GitHub Actions and want to improve security by eliminating long-lived tokens

9/10Security

Low security risk, safe to use

Clarity

Practicality

Quality

Maintainability

Innovation

DevOps

npm-publishinggithub-actionsoidc-authci-cdpackage-management

Compatible Agents

Claude Code

~/.claude/skills/

Codex CLI

~/.codex/skills/

Gemini CLI

~/.gemini/skills/

OpenCode

~/.opencode/skills/

OpenClaw

~/.openclaw/skills/

GitHub Copilot

~/.copilot/skills/

Cursor

~/.cursor/skills/

Windsurf

~/.codeium/windsurf/skills/

Cline

~/.cline/skills/

Roo Code

~/.roo/skills/

Kiro

~/.kiro/skills/

Junie

~/.junie/skills/

Augment Code

~/.augment/skills/

Warp

~/.warp/skills/

Goose

~/.config/goose/skills/

SKILL.md

NPM Trusted Publishing

Overview

Set up secure npm publishing from GitHub Actions using OIDC trusted publishing instead of long-lived NPM_TOKEN secrets.

When to Use

Setting up npm publish workflow in GitHub Actions
Migrating from NPM_TOKEN to trusted publishing
Adding provenance attestations to packages
Publishing monorepo packages

Quick Reference

Requirement	Implementation
GitHub Actions permission	`id-token: write`
package.json field	`repository.url` matching GitHub repo
npm publish flag	`--provenance`
npmjs.com setup	Configure trusted publisher per package

Implementation

1. GitHub Actions Workflow

permissions:
  contents: write
  id-token: write  # Required for OIDC

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"

      - run: npm ci
      - run: npm run build

      # No NODE_AUTH_TOKEN needed - uses OIDC
      - run: npm publish --access public --provenance

2. package.json Repository Field

{
  "name": "@scope/package",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/owner/repo.git",
    "directory": "packages/subpackage"
  }
}

Monorepo note: Include directory field for packages not at repo root.

3. npmjs.com Configuration

For each package, go to Settings > Publishing access and add:

Repository: owner/repo
Workflow: publish.yml (or your workflow filename)
Environment: (optional)

Common Mistakes

Mistake	Fix
Missing `--provenance` flag	Add to npm publish command
Wrong URL format	Use `git+https://github.com/...`
Missing `id-token: write`	Add to workflow permissions
Forgot npmjs.com setup	Configure trusted publisher in package settings
Using NODE_AUTH_TOKEN	Remove - OIDC handles auth
Outdated npm version	Add `npm install -g npm@latest` step (see below)

npm Version Requirement

GitHub Actions runners may have an outdated npm version that doesn't properly support OIDC trusted publishing. This causes a confusing error:

npm notice Access token expired or revoked. Please try logging in again.
npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/@scope%2fpackage - Not found

Solution: Update npm to latest before publishing:

- uses: actions/setup-node@v4
  with:
    node-version: "20"
    registry-url: "https://registry.npmjs.org"

- name: Update npm to latest
  run: npm install -g npm@latest

- run: npm publish --access public --provenance

See GitHub Community Discussion #173102 for details.

Reference

npm docs: https://docs.npmjs.com/trusted-publishers

Source: https://github.com/pr-pm/prpm#.claude~skills~npm-trusted-publishing

Content curated from original sources, copyright belongs to authors

Grade A

8.4AI Score

Best Practices

Checking...

Try this Skill

User Rating

USER RATING

0UP

0DOWN

Loading files...

WORKS WITH

Claude

Codex

Gemini